Most of the discussion in the previous sections applies equally well to active threat neutralization conducted on behalf of non-military government agencies. The Department of Homeland Security has the responsibility for seeing to the cyber protection of non-military government agencies, and to the best of the committee’s knowledge, neither DHS nor any other part of government has been given the authority to conduct active defense on behalf of these agencies.
The primary difference between protection for government agencies and for the private sector is that the actions of government agencies are subject to government control and direction within the limits of statutory law and constitutional restraint. By contrast, the U.S. government has today exercised little authority, apart from the bully pulpit, to direct or even influence the actions of much of the private sector regarding cybersecurity; a notable exception is private-sector companies that are subject to strong government regulation, such as the financial sector or companies in the defense industrial base, or that provide key services to the federal government. (Whether this “hands-off” stance of government toward the private sector will continue to be the case in the future is not clear.)
This difference is perhaps most important regarding issues related to the determination of the threshold at which an active defense is appropriate. A private party setting the threshold is highly unlikely to take into account the overall national interest if it is given a free hand in determining that threshold, whereas a decision by government on the threshold is supposed to do so, at least in principle. That is, an action by a government agency is, in principle, coordinated throughout the federal government and that interagency process is responsible for ensuring that the overall national interest is indeed served by that action.
A variety of pragmatic issues are also easier to resolve when government agencies are the parties involved. For example, through executive order the President can direct federal agencies to share data about the scope and nature of any cyberattacks they are experiencing. Such information is necessary to determine the overall scope of any attack and thus the nature of any active defense required. But most private parties are currently under no such obligation to provide such information to the federal government.21
Certain private parties subject to government regulation may be required to provide information under some circumstances—financial institutions, for example, are required to notify their regulatory authorities if they experience significant cyber penetrations, although this requirement is not a real-time requirement.